# troubleshoot
r
Hi all, I have trouble using the right AWS role for the datahub actions deployment (acryldata/datahub-actions:v0.0.8) in EKS. I have annotated my serviceaccount with the right role to assume, and the pod is using that SA. This role has the permissions to e.g. read from Glue tables. However, when I run an ingest using datahub actions, it fails with the following message:
ClientError: An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity
From the debug logs I can see that it has already assumed the correct role:
...
    self = <botocore.client.STS object at 0x7f0f4f853190>
    operation_name = 'AssumeRoleWithWebIdentity'
    api_params = {'RoleArn': 'arn:aws:iam::XXXXXXXXXX:role/ttgsl-test-iam-edp-datahub-gms',
                  'RoleSessionName': 'botocore-session-1664525045',
...
Why does it try to assume a different role when it can use the attached role? What am I missing? Thanks!
b
@dazzling-judge-80093 might be able to help here
d
Somehow botocore got this role, so I think either it is attached or defined somewhere
g
There are two pieces at play here - the AWS SDK will read your ~/.aws configs and automatically do some role assumption. Next, the datahub sdk will look at your recipe config and try to assume the roles listed there.
In your case, it looks like botocore (the aws sdk) is already assuming the right role, so you should be able to remove any roles from your yml recipe config and things will work.
r
Hi @gray-shoe-75895, the recipe I am using already sets all the AWS-related attributes I could find to null. It looks like this:
source:
    type: glue
    config:
        env: DEV
        aws_region: eu-central-1
        aws_access_key_id: null
        aws_secret_access_key: null
        aws_session_token: null
        aws_profile: null
        aws_role: null
I just connected to the container and there is no ~/.aws directory. However, some AWS-related env variables are defined, like AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, created by EKS since I annotated my ServiceAccount and use that SA in my pod.
Found the issue, and it is working now. I had a typo in the trust relationship, therefore the serviceaccount could not assume the right role.
g
Got it - is there anything we could’ve done to make this easier to debug?
r
I don't think so. The next person encountering such a situation will hopefully learn to look for typos from this thread 😉 Thanks for your support.